Details

Updated apache and httpd packages which fix a number of security issues are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0.

The Apache HTTP Web Server is a secure, efficient, and extensible web server that provides HTTP services.

Buffer overflows in the ApacheBench support program (ab.c) in Apache versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow a malicious Web server to cause a denial of service (DoS) and possibly execute arbitrary code via a long response. The Common Vulnerabilities and Exposures project has assigned the name CAN-2002-0843 to this issue.

Two cross-site scripting (XSS) vulnerabilities are present in the error pages for the default "404 Not Found" error and for the error response when a plain HTTP request is received on an SSL port. Both of these issues are only exploitable if the "UseCanonicalName" setting has been changed to "Off", and wildcard DNS is in use. These issues could allow remote attackers to execute scripts as other webpage visitors, for instance, to steal cookies. These issues affect versions of Apache 1.3 before 1.3.26, versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before 2.8.12. (CAN-2002-0840, CAN-2002-1157)
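As an added illustration (not part of the Red Hat errata), the httpd.conf directive the preceding paragraph refers to, with the exposed value beside the safe one. The hostname is a placeholder; the upgrade to the errata packages remains the actual fix, and this setting only removes the precondition the advisory names.

```apache
# Exposed configuration, as described in the advisory: with UseCanonicalName
# Off the server builds self-referencing URLs, including those in the default
# "404 Not Found" page and the plain-HTTP-on-SSL-port error page, from the
# client-supplied Host: header. Under a wildcard DNS zone that header can name
# any host, so its contents end up reflected into the error page.
#UseCanonicalName Off

# Safer configuration: build self-referencing URLs from the configured
# ServerName rather than from whatever name the client sent.
# (www.example.com is a placeholder; use the server's real canonical name.)
ServerName www.example.com
UseCanonicalName On
```

After changing the directive, reload the configuration and request a non-existent path with a deliberately odd Host: header against a test instance; the returned 404 page should reference ServerName, not the header value.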

The shared memory scoreboard in the HTTP daemon for Apache 1.3, prior to version 1.3.27, allows a user running as the "apache" UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or other such behavior that would not normally be allowed. (CAN-2002-0839) Note that this issue does not affect Red Hat Linux 8.0.

All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages. For Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3, these packages include Apache version 1.3.27 which is not vulnerable to these issues. For Red Hat Linux 8.0, the fixes have been back-ported and applied to Apache version 2.0.40.

Note that the instructions in the "Solution" section of this errata contain additional steps required to complete the upgrade process.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
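Before running rpm -Fvh, an administrator usually wants to know which hosts still carry a vulnerable package. The following script is an added example, not part of the Red Hat errata: it compares the installed upstream Apache version against the versions the "Details" section names for each Red Hat Linux release. It also handles the caveat from that section: on Red Hat Linux 8.0 the fixes are back-ported onto 2.0.40, so the upstream version is the same before and after the errata and only the package release field distinguishes them. The script assumes numeric dotted versions as rpm reports them in its %{VERSION} tag; it queries rpm only when a release argument is given and rpm is present.

```shell
#!/bin/sh
# Added example, not part of the Red Hat errata: classify an installed Apache
# package against the fixed versions named in the advisory.
# Assumes numeric dotted upstream versions (e.g. 1.3.27, 2.0.40).

# version_lt A B: return 0 (true) when dotted version A sorts before B.
# Segments are compared numerically; a missing segment counts as 0.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead="${a%%.*}"
        bhead="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ahead="${ahead:-0}"
        bhead="${bhead:-0}"
        if [ "$ahead" -lt "$bhead" ]; then return 0; fi
        if [ "$ahead" -gt "$bhead" ]; then return 1; fi
    done
    return 1
}

# Upstream Apache version carried by the errata for each Red Hat Linux release,
# as stated in the advisory: 1.3.27 for 6.2 through 7.3, back-ported fixes on
# 2.0.40 for 8.0. Any other release is unknown to this script.
apache_fixed_version() {
    case "$1" in
        6.2|7|7.1|7.2|7.3) echo 1.3.27 ;;
        8.0)               echo 2.0.40 ;;
        *)                 return 1 ;;
    esac
}

# apache_status RHL_RELEASE INSTALLED_VERSION
# Prints "vulnerable", "fixed" or "check-release". The last case is the
# Red Hat Linux 8.0 back-port: the upstream version stays 2.0.40 before and
# after the errata, so the package release field (rpm %{RELEASE}) must be
# compared against the errata package by hand.
apache_status() {
    rhl="$1"
    installed="$2"
    fixed=$(apache_fixed_version "$rhl") || { echo unknown; return 1; }
    if version_lt "$installed" "$fixed"; then
        echo vulnerable
    elif [ "$rhl" = "8.0" ] && [ "$installed" = "2.0.40" ]; then
        echo check-release
    else
        echo fixed
    fi
}

# Usage: sh apache_check.sh <rhl-release>
# Queries the local rpm database only when rpm exists on this host.
if [ "$#" -ge 1 ] && command -v rpm >/dev/null 2>&1; then
    for pkg in apache httpd; do
        ver=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null) || continue
        rel=$(rpm -q --qf '%{RELEASE}\n' "$pkg" 2>/dev/null)
        printf '%s-%s-%s: %s\n' "$pkg" "$ver" "$rel" "$(apache_status "$1" "$ver")"
    done
fi
```

A "check-release" result is the expected answer on every Red Hat Linux 8.0 host, patched or not; resolve it by comparing the printed release field with the release of the errata httpd package rather than by trusting the version number.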

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

After the errata packages are installed, restart the Web service by running the following command: